Federal Agencies Urge HIPAA Entities to Strengthen Security Risk Management

Federal regulators are currently advising healthcare organizations and their third-party vendors to enhance the security of their systems, software, and medical devices to better protect sensitive patient information. This guidance from the U.S. Department of Health and Human Services (HHS) emphasizes the need for continual vulnerability assessments, regular software updates, proper security configurations, and the removal of unnecessary applications.
As noted in recent guidance from the HHS Office for Civil Rights, effectively defining and implementing system hardening techniques is an ongoing process and cannot be treated as a one-time task. The HHS underlines that hardening is not just critical for data security but also vital for patient safety, particularly given that medical devices often lack adequate security measures and are not frequently updated.
Mike Hamilton, Chief Information Security Officer at Lumifi Cyber, highlighted the challenges of vulnerability management within the healthcare landscape, calling it “critically important yet fantastically difficult.” The FDA mandates that manufacturers assess the cybersecurity risks of devices before market entry, but ongoing responsibilities—including patch management and network segmentation—lie with the healthcare practices that operate these devices. The HHS has urged medical facilities to review existing FDA guidance regarding cybersecurity measures for medical devices.
Data breaches stemming from unpatched vulnerabilities, outdated software, and misconfigured security settings are alarmingly common, as evidenced by the HHS’s HIPAA Breach Reporting Tool, which lists incidents affecting 500 or more individuals. Regulatory attorney Layna Rush from Baker Donelson emphasized that the majority of healthcare breaches arise from fundamental security oversights, underscoring the importance of conducting thorough risk analyses that lead to tangible remediation efforts.
The HHS recommends comprehensive assessments of various technologies—including operating systems, electronic health records, databases, and mobile applications—to strengthen vulnerability mitigation strategies. However, the slow approval processes associated with the FDA often hamstring healthcare entities, forcing them to continue using devices with outdated operating systems, which can further expose them to risks.
As criminal organizations and nation-state actors increasingly exploit vulnerabilities shortly after identification and patch release, proactive measures are essential. Rush advises that organizations regularly update their asset inventories and incorporate processes for decommissioning outdated technologies to mitigate associated risks. The recent focus of HHS OCR on scrutinizing security risk management practices within regulated entities emphasizes the need for robust compliance with HIPAA mandates.
While multiple hardening guidelines are available, it is recommended that healthcare organizations rely solely on those approved by HHS or the FDA to limit liability concerning the technologies they currently operate. The stakes are high, as the repercussions of security deficiencies not only affect compliance but also jeopardize patient care.